Y, did you have the extension logic to call to PSTN in [default]??? If yes, then your system was not hacked...
You need to read some documentation and find out that the [default] context is supposed to be non-secure... if you allow routes to PSTN in [default] then you're inviting others to call out.

Martin

On Wed, Mar 25, 2009 at 9:40 AM, David Anthony O Reilly <[email protected]> wrote:
> Hi all
> I have been hacked but no idea how!!! I noticed somebody in Eastern Europe
> came from an American IP and tried to call loads of international numbers.
> Thankfully I had no credit with my VOIP out provider so the calls went
> nowhere. But if I had credit it would all have been used up.
>
> I noticed hundreds of calls being made with clid and src being either
> UNKNOWN or ASTERISK.
>
> Here is a sample:
>
> 2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default
> SIP/66.199.242.101-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6
> ANSWERED 3 1237913234.1077
> 2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default
> SIP/66.199.242.101-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7
> ANSWERED 3 1237913235.1081
>
> I've reported it to the authorities and they are doing a backtrace to find
> the hacker, and in the meantime I have set my firewall so that ONLY SIP
> requests from my own IP address can connect, so my home phones can connect.
>
> My config is ALL NORMAL - I am careful about putting it up here in case
> somebody else tries a fast one on me, but what I can tell you is that my
> passwords are all SHA1 substrings and there is no way in hell somebody could
> guess them. My box was not compromised either, as I went through my message
> logs; my ISP also has a server firewall rule set up so that one false
> password and the details are logged and I'm notified, as somebody also tried
> a dictionary attack on me.
>
> So now my system is all ruled up and I can only use it from here; if I am
> out and about I can't use it.
>
> Anybody have any ideas about what I can do to try and find this security
> hole??? I am sure it's a bug, as surely nobody should have been able to log
> into asterisk WITHOUT a password (from what I can see!!) and make calls out
> leaving the source and id as UNKNOWN or ASTERISK.
>
> Thanks in advance
> David
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
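Martin's point about [default], shown as an added example; this is not the original poster's configuration (he did not post it) and not code from the thread. In chan_sip, an INVITE that matches no configured peer is accepted as a guest while `allowguest=yes` (the default) and is dropped into the context named by `context=` in the [general] section of sip.conf, which is `default` unless changed. That is consistent with the CDR lines quoted above: the dcontext column reads `default` and the channel is named after the source IP (`SIP/66.199.242.101-...`) rather than after a peer, which is how chan_sip names channels that did not match a peer. The trunk name `IAX2/out` is taken from those CDR lines; the peer name `homephone1`, the context name `internal` and the secret are assumptions.

```ini
; Added example, not the original poster's config. Assumed names: peer
; [homephone1], context [internal]; trunk IAX2/out is from the CDR lines.

; ---- extensions.conf: the hole Martin describes ----
; Unauthenticated (guest) SIP callers land in [default]. If [default] can
; reach the trunk, anyone on the Internet can dial international through it.
[default]
exten => _00.,1,Dial(IAX2/out/${EXTEN})

; ---- extensions.conf: corrected ----
; [default] is reachable without a password, so it must contain only
; destinations you would let a stranger call. Log the attempt and hang up.
[default]
exten => _X.,1,NoOp(Unauthenticated call to ${EXTEN} from ${CHANNEL})
exten => _X.,n,Hangup()

; Trunk access lives in a context that is assigned only to authenticated peers.
[internal]
exten => _00.,1,Dial(IAX2/out/${EXTEN})

; ---- sip.conf: corrected ----
[general]
context=default        ; where unknown callers land; keep that context harmless
allowguest=no          ; refuse INVITEs that match no configured peer at all
alwaysauthreject=yes   ; reject unknown and wrong-password users identically

[homephone1]           ; assumed peer name
type=friend
host=dynamic
secret=<long random secret>
context=internal       ; only authenticated peers get the outbound routes
```

After editing, reload both files from the Asterisk CLI (`sip reload` and `dialplan reload`, or `asterisk -rx "sip reload"` from a shell) and re-check the CDR: outbound calls should now show your peer's context (`internal` in this example) and a channel named after the peer, never `default` with an IP-named channel. Both halves matter: `allowguest=no` stops guest INVITEs at the door, and a harmless [default] limits the damage if a guest path is ever reopened.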
